[Request] [8.18, 9.0, and Serverless] Observables can be added to cases #6395

Closed
@nastasha-solomon

Description

Users can associate observables with cases for better tracking and analysis in incident response workflows. This improves investigative efficiency by correlating observables across multiple cases.

Misc. notes:

  • The max number of observables that users can create (via the Add observable modal) is 50.
  • The max number of observable types is 10.
  • This feature is GA'd in Serverless and will be released in 8.18/9.0.0 for ESS.
  • The Similar cases tab allows users to find other cases with the same observables (identical type and value).
  • Observable types can be managed from the Case settings page.
  • Only observables that belong to a non-deleted type are visible.
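The notes above state three rules a docs reader may want to see interact: the per-case and per-type limits, the "identical type and value" matching behind the Similar cases tab, and the visibility rule for deleted types. The following is an added, self-contained Python model written for this page; it is not Kibana's implementation and its class names, the `build_sample_registry` helper, the constructed case ids and the placeholder IP/domain values are all assumptions. It also assumes that deleted types no longer count toward the limit of 10, which the issue does not say.

```python
from dataclasses import dataclass, field

# Limits quoted in the issue text: 50 observables per case, 10 observable types.
MAX_OBSERVABLES_PER_CASE = 50
MAX_OBSERVABLE_TYPES = 10


@dataclass(frozen=True)
class Observable:
    """An observable is a (type, value) pair; two match only if both fields are identical."""
    type_id: str
    value: str


@dataclass
class Case:
    case_id: str
    observables: list = field(default_factory=list)


class ObservableRegistry:
    """Toy in-memory model of observable types and cases (an assumption, not Kibana's code)."""

    def __init__(self):
        self.types = {}   # type_id -> True if the type has been deleted
        self.cases = {}   # case_id -> Case

    def active_types(self):
        return [t for t, deleted in self.types.items() if not deleted]

    def add_type(self, type_id):
        # Assumption: only non-deleted types count toward the limit of 10.
        if type_id not in self.types and len(self.active_types()) >= MAX_OBSERVABLE_TYPES:
            raise ValueError(f"at most {MAX_OBSERVABLE_TYPES} observable types are allowed")
        self.types[type_id] = False

    def delete_type(self, type_id):
        # Deleting a type hides its observables; it does not remove them from cases.
        self.types[type_id] = True

    def add_observable(self, case_id, type_id, value):
        if self.types.get(type_id, True):
            raise ValueError(f"observable type {type_id!r} is unknown or deleted")
        case = self.cases.setdefault(case_id, Case(case_id))
        if len(case.observables) >= MAX_OBSERVABLES_PER_CASE:
            raise ValueError(f"case {case_id!r} already holds {MAX_OBSERVABLES_PER_CASE} observables")
        case.observables.append(Observable(type_id, value))

    def visible_observables(self, case_id):
        """Only observables whose type has not been deleted are visible."""
        case = self.cases.get(case_id)
        if case is None:
            return []
        return [o for o in case.observables if not self.types.get(o.type_id, True)]

    def similar_cases(self, case_id):
        """Map each other case id to the visible observables it shares with this case."""
        mine = set(self.visible_observables(case_id))
        matches = {}
        for other_id in self.cases:
            if other_id == case_id:
                continue
            shared = mine & set(self.visible_observables(other_id))
            if shared:
                matches[other_id] = sorted(shared, key=lambda o: (o.type_id, o.value))
        return matches


def build_sample_registry():
    """Constructed sample data: cases sharing a placeholder IP and domain."""
    reg = ObservableRegistry()
    reg.add_type("ipv4")
    reg.add_type("domain")
    reg.add_observable("case-1", "ipv4", "203.0.113.5")
    reg.add_observable("case-1", "domain", "malicious.example")
    reg.add_observable("case-2", "ipv4", "203.0.113.5")
    reg.add_observable("case-3", "domain", "malicious.example")
    reg.add_observable("case-4", "ipv4", "203.0.113.6")   # different value: not similar
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print("similar to case-1:", sorted(reg.similar_cases("case-1")))
    reg.delete_type("domain")
    print("after deleting 'domain':", sorted(reg.similar_cases("case-1")))
```

Running the script shows case-1 matching case-2 (shared IP) and case-3 (shared domain); after the `domain` type is deleted, case-3 drops out of the similar list and its observable is no longer visible, while the limit checks in `add_type` and `add_observable` reject the 11th type and the 51st observable.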

Background & resources

Which documentation set does this change impact?

ESS and serverless

ESS updates are below. The Serverless updates will be the same.

Changes to the Configure case settings page:

Changes to the Open and manage cases page:

In the Manage existing cases section:

  • Add to the list of things users can do with cases. Link to the new “Create and manage observables” section.

ESS release

8.18 and 9.0

Serverless release

January 7, 2025

Feature differences

N/A

API docs impact

N/A

Prerequisites, privileges, feature flags

ESS license - TBD
Serverless feature tier - Essentials

Metadata

Labels

  • Docset: ESS (issues that apply to docs in the Stack release)
  • Docset: Serverless (issues for Serverless Security)
  • Effort: Medium (issues that take moderate but not substantial time to complete)
  • Feature: Cases (Cases issues)
  • Priority: High (issues that are time-sensitive and/or are of high customer importance)
  • Team: Threat Hunting (formerly Data Visibility)
  • blocked (an issue that's currently blocked because it's pending info or action from stakeholders)
  • v8.18.0
  • v9.0.0
